TL;DR: AI agents are moving into production identity stacks, and Descope’s framing around accountable identity shows why traditional IAM assumptions break when software can act, decide, and call tools on its own. The shift is not cosmetic: access governance must account for runtime behaviour, not just issued credentials.
NHIMG editorial — based on content published by Descope: How We Built Accountable Identity for Shuni, Our AI Coding Agent
Questions worth separating out
Q: How should security teams govern AI agent identities in existing IAM programmes?
A: Treat AI agents as governed actors with their own ownership, scope, and audit trail rather than as ordinary service accounts.
Q: Why do AI agents complicate traditional identity governance?
A: AI agents complicate identity governance because their actions can vary at runtime, even when the underlying identity stays the same.
Q: What breaks when an AI agent is managed like a normal service account?
A: Ownership, auditability, and revocation discipline usually break first.
Practitioner guidance
- Define agent ownership and purpose boundaries: Assign a named business owner, a technical custodian, and a documented purpose for each agent identity so every action path has accountable oversight.
- Map every agent tool to explicit policy: Inventory the tools an agent can reach, then classify each one by data sensitivity, privilege level, and approval requirement before enabling runtime use.
- Separate agent identity from ordinary workload identity: Do not fold AI agents into generic service-account handling.
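As an added example (not Descope's code or Shuni's implementation), the following Python sketch shows how the three points above combine at runtime: an agent identity that carries owner, custodian and purpose; an explicit tool allowlist classified by sensitivity, privilege and approval requirement; and an audit record written on every call, allowed or denied. All agent, tool and owner names are constructed.

```python
"""Runtime policy gate for an AI agent's tool calls (added example, not Descope's code)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class ToolPolicy:
    sensitivity: str          # "public" | "internal" | "confidential"
    privilege: str            # "read" | "write" | "admin"
    requires_approval: bool   # human approval ticket needed before runtime use

@dataclass
class AgentIdentity:
    agent_id: str
    business_owner: str       # accountable for approvals, exceptions, incidents
    custodian: str            # technical team that operates the agent
    purpose: str              # documented purpose boundary
    tools: Dict[str, ToolPolicy]          # explicit allowlist; anything else is denied
    audit: List[dict] = field(default_factory=list)

def gate_tool_call(agent: AgentIdentity, tool: str,
                   approval_ticket: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether `agent` may call `tool` right now; always append an audit record."""
    policy = agent.tools.get(tool)
    if policy is None:
        decision, reason = False, "tool not in agent allowlist"
    elif policy.requires_approval and not approval_ticket:
        decision, reason = False, "approval required but no ticket supplied"
    else:
        decision, reason = True, "allowed by policy"
    # Every record names the agent AND its owner, so actions trace back to an accountable human.
    agent.audit.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "agent": agent.agent_id, "owner": agent.business_owner, "custodian": agent.custodian,
        "tool": tool, "privilege": policy.privilege if policy else None,
        "approval": approval_ticket, "allowed": decision, "reason": reason,
    })
    return decision, reason

# Constructed sample: a coding agent may read repositories freely but needs a ticket to open PRs.
CODING_AGENT = AgentIdentity(
    agent_id="agent-coding-01", business_owner="platform-eng-lead",
    custodian="dev-productivity", purpose="draft code changes from tickets",
    tools={"repo.read": ToolPolicy("internal", "read", False),
           "pr.create": ToolPolicy("internal", "write", True)},
)
```

The denied calls are the useful part of the trail: a tool outside the allowlist or a write without a ticket is exactly the runtime deviation that credential rotation alone would never surface.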
What's in the full article
Descope's full article covers the operational detail this post intentionally leaves for the source:
- How Descope structures accountable identity for an AI coding agent in practice
- The specific controls used to trace agent actions back to an owning team
- Implementation detail on identity boundaries for agent tool access and delegation
- The product context around Descope's AI agent and admin portal updates
👉 Read Descope's analysis of accountable identity for AI agents →
AI agent identity governance: what IAM teams need to know
Explore further
AI agent identity is not just NHI with a new label. The governance problem changes when a software actor can choose actions at runtime rather than merely execute fixed jobs. That means authentication, rotation, and revocation remain necessary but no longer sufficient as the primary control model. The practitioner conclusion is that agent identity must be governed as an active decision-making subject, not a static credential holder.
A few things that frame the scale:
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
- Only 5.7% of organisations have full visibility into their service accounts, which helps explain why identity governance often lags behind operational change.
A question worth separating out:
Q: Who should be accountable for AI agent access decisions and outcomes?
A: Accountability should sit with the business owner of the agent, the technical team that operates it, and the identity team that enforces the policy boundary. If any of those roles is missing, the organisation loses clear ownership for approvals, exceptions, and incident response when the agent acts outside expectations.
👉 Read our full editorial: IAM adapts to secure AI agents through accountable identity